Step 2: Keystore

The keystore contains the ActiveMQ broker’s certificate and private key, which it uses to identify itself to the applications that connect to it.

In the working directory where you copied your PEM-format credentials, run the following commands. Substitute the names of your key and certificate files where necessary, and the common name of your ActiveMQ server’s certificate for activemq.example.com.

Note about passwords: These commands refer to an “export” password, a “source” password, and a “destination” password. All of these passwords must be the same.

Step 3: Finish

Move the keystore and truststore to ActiveMQ’s config directory. Make sure they are owned by the ActiveMQ user and unreadable to any other users. Configure ActiveMQ to use them in its sslContext. Double-check that you’ve made activemq.xml world-unreadable, since it now contains sensitive credentials.
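
One way to run the ownership and permission checks from Step 3, as an added example that is not part of the original page. It assumes GNU stat (Linux); the file names keystore.jks and truststore.jks, the function names, and the temp-directory demo are constructed for illustration, and it treats any group or other permission bit as a failure.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU stat (Linux).

# check_secret_file FILE UID
# Returns 0 if OK, 1 on wrong owner or group/other access, 2 if missing.
check_secret_file() {
    cs_file=$1 cs_uid=$2 cs_rc=0
    [ -f "$cs_file" ] || { echo "MISSING $cs_file"; return 2; }
    cs_owner=$(stat -c '%u' "$cs_file")
    cs_mode=$(stat -c '%a' "$cs_file")
    if [ "$cs_owner" != "$cs_uid" ]; then
        echo "OWNER   $cs_file: uid $cs_owner, expected $cs_uid"
        cs_rc=1
    fi
    # Any bit under mask 077 grants group or other users some access.
    if [ $(( 0$cs_mode & 077 )) -ne 0 ]; then
        echo "MODE    $cs_file: $cs_mode grants group/other access"
        cs_rc=1
    fi
    return "$cs_rc"
}

# audit_secrets UID FILE...
# Checks every file and returns the number of files that failed.
audit_secrets() {
    as_uid=$1; shift
    as_bad=0
    for as_file in "$@"; do
        check_secret_file "$as_file" "$as_uid" || as_bad=$((as_bad + 1))
    done
    return "$as_bad"
}

# Constructed demo: placeholder files in a temp directory, owned by the
# current user, with activemq.xml deliberately left world-readable.
demo() {
    d=$(mktemp -d)
    touch "$d/keystore.jks" "$d/truststore.jks" "$d/activemq.xml"
    chmod 600 "$d/keystore.jks" "$d/truststore.jks"
    chmod 644 "$d/activemq.xml"
    demo_rc=0
    audit_secrets "$(id -u)" "$d"/keystore.jks "$d"/truststore.jks \
        "$d/activemq.xml" || demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

demo || echo "$? file(s) need fixing"
```

On a real broker, pass the numeric UID of the account ActiveMQ runs as and the actual paths in ActiveMQ’s config directory in place of the demo values.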

Creating Keystores with Puppet

If you’re managing your ActiveMQ server with Puppet anyway, you can use the puppetlabs/java_ks module to handle the format conversion.

This approach is more work for a single permanent ActiveMQ server, but less work if you intend to deploy multiple ActiveMQ servers or eventually change the credentials.

The code below is an example, but it will work fine if you put it in a module (example file location in the first comment) and set its parameters when you declare it. The name of the class (and its home module) can be changed as needed.